FAQ-001211 - Manual Security Review vs Automated Scanning / Identifying Missed Vulnerabilities


Current FAQ

Question
How can developers identify additional security vulnerabilities that standard scanning tools might miss?
Answer
To identify additional security vulnerabilities not caught by standard scanning tools, developers should implement a comprehensive approach:

**Manual Testing Strategies:**

1. **Perform comprehensive manual testing** alongside automated scans to uncover vulnerabilities like logic flaws or edge cases
2. **Conduct thorough manual code reviews** focusing on areas like:
   - Insecure storage of sensitive data
   - Improper session ID handling
   - Direct DOM manipulations
   - Field-level and object-level security

**Follow-the-Data Approach:**

3. **Test all components** of your solution, including:
   - External endpoints that interact with customer data
   - All layers of the solution architecture
   - Components involving authentication and data transfer
   - API integrations and third-party connections

**Advanced Testing Techniques:**

4. **Use specialized tools** like:
   - Salesforce Code Analyzer with multiple engines (PMD, ESLint, RetireJS)
   - Dynamic Application Security Testing (DAST) tools
   - Penetration testing tools
5. **Focus on specific vulnerability types** that scanners commonly miss:
   - Business logic flaws and application-specific vulnerabilities
   - Context-specific security issues
   - Complex security vulnerabilities in solution architecture
   - Non-standard coding practices
   - CSRF vulnerabilities with proper token validation
   - Improper CSRF mitigation strategies

**Systematic Approach:**

6. **Conduct periodic scans** and testing throughout the development lifecycle
7. **Document and validate** false positives with proper context
8. **Follow secure coding guidelines** and industry best practices
9. **Test external endpoints** with proper permissions
10. **Address all potential entry points** in the application

This multi-layered approach ensures comprehensive security coverage beyond what automated tools alone can provide.

AI Recommended Enhancement

Related Security Rules

- ApexCRUDViolation
- ApexSharingViolations
- ApexSOQLInjection
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- ApexCSRF
- ApexOpenRedirect
- ApexInsecureEndpoint
- VfCsrf
- VfUnescapeEl
- @lwc/lwc/no-inner-html
Question
How can developers identify additional security vulnerabilities that standard scanning tools might miss?
Recommended Answer Update
To identify additional security vulnerabilities not caught by standard scanning tools, developers should implement a comprehensive approach:

**Manual Testing Strategies:**

1. **Perform comprehensive manual testing** alongside automated scans to uncover vulnerabilities like logic flaws or edge cases
2. **Conduct thorough manual code reviews** focusing on areas like:
   - Insecure storage of sensitive data
   - Improper session ID handling
   - Direct DOM manipulations
   - Field-level and object-level security

**Follow-the-Data Approach:**

3. **Test all components** of your solution, including:
   - External endpoints that interact with customer data
   - All layers of the solution architecture
   - Components involving authentication and data transfer
   - API integrations and third-party connections

**Advanced Testing Techniques:**

4. **Use specialized tools** like:
   - Salesforce Code Analyzer with multiple engines (PMD, ESLint, RetireJS)
   - Dynamic Application Security Testing (DAST) tools
   - Penetration testing tools
5. **Focus on specific vulnerability types** that scanners commonly miss:
   - Business logic flaws and application-specific vulnerabilities
   - Context-specific security issues
   - Complex security vulnerabilities in solution architecture
   - Non-standard coding practices
   - CSRF vulnerabilities and improper CSRF mitigation strategies
   - Cross-site scripting (XSS) vulnerabilities
   - SOQL injection vulnerabilities
   - CRUD and FLS security issues
   - Open redirect vulnerabilities

**Systematic Approach:**

6. **Conduct periodic scans** and testing throughout the development lifecycle
7. **Document and validate** false positives with proper context
8. **Follow secure coding guidelines** and industry best practices
9. **Test external endpoints** with proper permissions
10. **Address all potential entry points** in the application

This multi-layered approach ensures comprehensive security coverage beyond what automated tools alone can provide.
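As an added illustration of item 5 (business logic flaws that scanners miss), the Apex class below is example code written for this page; it is not part of the FAQ, of Salesforce Code Analyzer, or of any Salesforce project. The class name, the custom object `Invoice__c` with its field `Discount__c`, and the custom permission `Approve_Large_Discounts` are all constructed for the example. Apex is used because the related rules listed above are Apex rules.

```apex
// Added example (constructed; not from the FAQ or from Salesforce).
// Shows a method that satisfies the listed static rules yet still carries
// an authorization logic flaw, next to a hardened version of the same method.
public with sharing class InvoiceDiscountController {

    // FLAWED LOGIC, SCANNER-CLEAN:
    //  - runs "with sharing"              -> ApexSharingViolations does not fire
    //  - checks FLS before the update     -> ApexCRUDViolation does not fire
    //  - SOQL uses a bind variable        -> ApexSOQLInjection does not fire
    // The approval decision, however, is taken from managerApproved, a value the
    // caller (an LWC or any API client) supplies. Any user can pass true and skip
    // the approval step. No rule models "who may approve"; only a reviewer
    // following the data from the client call into this method sees it.
    @AuraEnabled
    public static void applyDiscountFlawed(Id invoiceId, Decimal pct, Boolean managerApproved) {
        if (!Schema.sObjectType.Invoice__c.fields.Discount__c.isUpdateable()) {
            throw new AuraHandledException('Insufficient access');
        }
        if (pct > 20 && managerApproved != true) {
            throw new AuraHandledException('Discounts above 20% require manager approval');
        }
        Invoice__c inv = [SELECT Id, Discount__c FROM Invoice__c
                          WHERE Id = :invoiceId WITH SECURITY_ENFORCED LIMIT 1];
        inv.Discount__c = pct;   // note: pct itself is never range-checked
        update inv;
    }

    // HARDENED:
    //  - the caller no longer supplies the approval flag at all
    //  - approval authority is derived server-side from the running user's
    //    custom permission assignment (Approve_Large_Discounts is a constructed name)
    //  - the input value is validated before any data access
    @AuraEnabled
    public static void applyDiscount(Id invoiceId, Decimal pct) {
        if (invoiceId == null || pct == null || pct < 0 || pct > 100) {
            throw new AuraHandledException('Invalid discount request');
        }
        if (!Schema.sObjectType.Invoice__c.fields.Discount__c.isUpdateable()) {
            throw new AuraHandledException('Insufficient access');
        }
        Boolean canApproveLarge = FeatureManagement.checkPermission('Approve_Large_Discounts');
        if (pct > 20 && !canApproveLarge) {
            throw new AuraHandledException('Discounts above 20% require manager approval');
        }
        Invoice__c inv = [SELECT Id, Discount__c FROM Invoice__c
                          WHERE Id = :invoiceId WITH SECURITY_ENFORCED LIMIT 1];
        inv.Discount__c = pct;
        update inv;
    }
}
```

Running the Code Analyzer over the first method reports nothing from the rules listed on this page, which is exactly the gap the FAQ describes: the defect is in what the code trusts, not in how it queries or writes. A manual review that traces the `managerApproved` argument back to the client finds it; the fix moves the decision to a server-side permission check that the caller cannot influence.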
Reasoning
The FAQ content is largely accurate and comprehensive, but minor improvements enhance clarity and alignment with security scanner capabilities. The most significant change involves removing redundant CSRF-related text ('with proper token validation') to avoid repetition and improve readability. Additionally, I expanded the vulnerability types section to explicitly mention XSS, SOQL injection, CRUD/FLS issues, and open redirect vulnerabilities, which directly aligns with what the Salesforce Code Analyzer detects.

Regarding security rules selection: I chose rules that directly correspond to vulnerability types discussed in the FAQ's manual testing recommendations. ApexCRUDViolation and ApexSharingViolations relate to the FAQ's mention of 'Field-level and object-level security.' ApexSOQLInjection, ApexXSSFromEscapeFalse, and ApexXSSFromURLParam connect to the FAQ's discussion of vulnerabilities that scanners might miss. ApexCSRF relates to the FAQ's specific mention of 'CSRF vulnerabilities and improper CSRF mitigation strategies.' ApexOpenRedirect and ApexInsecureEndpoint align with the FAQ's guidance on testing 'external endpoints' and various vulnerability types. VfCsrf and VfUnescapeEl support the Visualforce security aspects of comprehensive testing. The @lwc/lwc/no-inner-html rule relates to the FAQ's mention of 'Direct DOM manipulations' in Lightning Web Components.